The following table lists the issues that are addressed in the PAN-OS® 7.1.9 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.

Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.

Issue ID

Description

WF500-3605

Fixed an issue where the WF-500 appliance created too many logs when generating PDF reports.

Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single hop eBGP peer is changed to 1 (instead of 2).

PAN-75005

Fixed an issue where loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removed authentication profiles from GlobalProtect portals and gateways, which caused an auto-commit failure.

Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.

PAN-74048

Fixed an issue where numerous NSX dynamic address updates caused Panorama to perform slower and to delay deployment of updates to firewalls. With this fix, you can use the request partner vmware-service-manager dau-updater-time-interval time-interval CLI command to set the interval at which Panorama processes the NSX dynamic updates.

Fixed an issue where LDAP authentication failed intermittently when the firewall tried to connect to the LDAP server through a service route or after HA failover.

PAN-71455

Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.

Fixed an issue where an uninitialized general-purpose I/O (GPIO) controller driver caused the firewall to become unresponsive and require a reboot.

PAN-70541

A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).

PAN-70483

Fixed an issue on M-Series appliances in Panorama mode where Security policy rules did not display shared service groups in the service drop-down on the Service/URL Category tab if the drop-down had 5,000 or more entries.

PAN-70436

A security-related fix was made to prevent tampering with files that are exported from the firewall web interface (CVE-2017-7217).

PAN-70434

A security-related fix was made to prevent inappropriate disclosure of information through the firewall web interface (CVE-2017-721).

PAN-70426

A security-related fix was made to prevent firewall administrators from performing actions through the web interface that require higher privileges than their administrator roles allow (CVE-2017-7218).

PAN-70345

Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.

PAN-70323

Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error:
Import of failed. Unsupported digest or keys used in FIPS-CC mode

PAN-69882

Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.

PAN-69622

Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server when the SYN Cookies action was triggered.

Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set the Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.

PAN-68520

Fixed an issue where having multiple IPSec IKE gateways configured to the same peer IP address caused VPN tunnels to flap.

PAN-68431

Fixed an issue where firewalls and Panorama failed to send SNMPv3 traps if you configured the service route to forward the traps over a dataplane interface.

PAN-68210

Fixed an issue where administrators with custom roles could not use the firewall CLI to change the HA state or initiate HA synchronization for the firewall.

PAN-68185

Fixed an issue where the 7.1 SNMP traps MIB file (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.

PAN-67629

Fixed an issue where existing users were removed from user-group mappings when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4
Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found

PAN-67599

In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 7.1.9.

PAN-67503

Fixed an issue where the firewall automatically rebooted when you ran a Correlated Events query with more than 15 OR operators.

Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.

PAN-66610

Fixed an issue where memory usage errors occurred if the PAN-OS integrated User-ID agent was monitoring numerous servers for login events. With this fix, the User-ID agent queries five servers at a time to prevent the firewall from exhausting memory.
If you check Status (Device > User Identification > User Mapping > Server Monitoring) during the initial attempt by the PAN-OS integrated User-ID agent to learn IP address-to-username mappings (or relearn mappings after a User-ID process restart, HA failover, or firewall reboot), you will see Connected status only for those servers for which the agent has already begun to learn mappings. All servers will display as Connected when the agent begins to learn mappings for the last set of servers.

Fixed an issue where the firewall displayed shared response pages instead of the custom response pages (Captive Portal, URL continue, and URL override) that were configured for specific virtual systems.

PAN-65969

Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.

PAN-65939

Fixed an issue where you could not download WildFire private cloud updates because the firewall checked for the updates using a proxy server even when you configured the firewall not to Use Proxy Settings for Private Cloud (Device > Setup > WildFire).

PAN-65669

Fixed an issue where the firewall did not apply a VLAN tag to BFD traffic on a VLAN subinterface.

PAN-64436

Fixed an issue on PA-7000 Series firewalls where creation of IGMP sessions failed because they were stuck in an OPENING state or the wrong state.

PAN-64317

Fixed an issue where IPv6 neighbor discovery failed intermittently due to a corrupted neighbor table.

PAN-63856

Fixed an issue where memory issues caused User-ID processes to restart when multiple firewalls redistributed a large number of IP address-to-username mappings.

PAN-63641

Fixed an issue where the firewall failed to establish connections from some virtual systems to Windows-based User-ID agents and Terminal Services agents.

PAN-63520

Fixed an issue where the firewall used the wrong source zone when logging virtual system-to-virtual system sessions.

Fixed an issue where Traffic logs indicated a session was decrypted even though it matched a Decryption policy rule that specifies no decryption and even though no decryption occurred.

PAN-62338

Fixed an issue where the firewall performed NAT translation incorrectly on the passive IP address in data packets when sending passive FTP connections over a proxy tunnel.

PAN-62015

Fixed an issue on PA-7000 Series firewalls where, when creating the key for a GRE packet, the firewall did not use the same default values for the source and destination ports in the hardware and software, which slowed the firewall performance.

PAN-61439

Fixed an issue where a Panorama management server that was not connected to the internet failed to deploy content updates to Log Collectors when you chose to Install From File.

PAN-61300

Fixed an issue where removing and adding a large number of Security policy rules caused Traffic logs to lose their rule name field, which resulted in a commit failure.

PAN-61252

Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.

PAN-60333

Fixed an issue where the firewall deployed in an HA active/active configuration with asymmetric routing dropped packets in TCP, ICMP, and UDP traffic.

PAN-59654

Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 7.1.9 (or a later release) does not cause commit failures related to these settings.

Fixed an issue where processing Oracle application traffic caused the firewall to reboot.

PAN-58382

Fixed an issue where users were matched to the incorrect security policies.

PAN-58212

Fixed an issue where the dataplane restarted unexpectedly when firewalls deployed in an HA configuration missed heartbeats.

PAN-57888

Fixed an issue where the App Scope Traffic Map did not display the correct location of Samoa.

PAN-57529

Fixed an issue where the firewall acted as a DHCP relay and no wireless devices on a VLAN received a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.

PAN-57520

Fixed an issue where firewalls stopped connecting to Panorama when the root CA server certificate on Panorama expired. With this fix, Panorama replaces the original certificate with a new certificate that expires in 2024.

Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.

PAN-57349

Fixed an issue where numerous SSL sessions exhausted the memory pool that the firewall required to insert new certificates in its certificate cache.

PAN-57155

Fixed an issue where custom reports did not display a value for Day Received when running the report on demand (Run Now) while the web interface language was set to Japanese. (This was not an issue when exporting the report as a PDF, CSV, or XML file.)

PAN-55536

Fixed an issue where commit failures caused by the firewall commit queue being full did not display the correct error message.

PAN-55048

Fixed an issue where the firewall did not forward logs in the syslog format that you selected.

PAN-52739

Fixed an issue where virtual system administrators saw commit warnings for virtual systems that were outside the scope of their administrative role privileges.

PAN-49764

Fixed an issue where SNMP traps that the firewall generated did not include its system name or hostname.